
Data Security Center: Mask sensitive data in OSS images

Last Updated: Dec 10, 2025

Data Security Center (DSC) lets you mask sensitive data in images that are stored in Object Storage Service (OSS). You can create image data masking tasks to scan images in a target bucket for sensitive information, such as ID card numbers, license plate numbers, and faces, and mask the information with a gray rectangle. This topic describes how to create an OSS image data masking task.

Scope

  • Supported information: ID card information (the Chinese mainland), license plate information (the Chinese mainland), faces, names (Simplified Chinese), addresses (the Chinese mainland), and Unified Social Credit Codes

  • Image requirements: Images must be smaller than 10 MB and in PNG, JPG, JPEG, BMP, or WEBP format.

  • Bucket coverage: All buckets that belong to the current account are supported. If you enable the multi-account management feature, buckets that belong to your member accounts are also supported.

  • Bucket requirements: You can create only one image data masking task for each OSS bucket.

Enable the image data masking service

The image data masking service is a value-added service of DSC and is billed on a subscription basis. To enable the image data masking feature, perform the following steps.

If you have not activated DSC

  1. Go to the Data Security Center buy page.

  2. In the Edition section, select Advanced Edition, Enterprise Edition, or Value-added Plan. For more information, see Purchase DSC.

  3. In the Value-added Module section, select Enable to enable Image Masking and enter the Image Masking Quota.

  4. (Optional) To identify sensitive information in images and define a Sensitivity Level before data masking, you must also enable Enhanced Image Identification and purchase a quota for Enhanced Image Identification Capacity.

  5. Select a Duration and click Buy Now. Then, complete the payment.

  6. After you complete the purchase, if this is your first time logging in to the Data Security Center console, grant the required permissions on your cloud resources as prompted.

If you have activated DSC but not the image data masking service

  1. Log in to the Data Security Center console.

  2. On the Overview page, click Upgrade.

  3. On the Upgrade/Downgrade page, in the Feature Extension Module section, turn on Image Masking and specify the Image Masking Quota.

  4. (Optional) To identify sensitive information in images and define a Sensitivity Level before data masking, you must also enable Enhanced Image Identification and purchase a quota for Enhanced Image Identification Capacity.

  5. Click Buy Now and complete the payment.

First-time use

The first time you navigate to the Risk Governance > Image Masking page, a welcome dialog box appears. You can perform operations as needed.


  • Masking Test: Test the data masking feature by uploading an image to view the effect. After you close this welcome page, you can also find the Masking Test entry in the upper-right corner of the page.

  • Enable identification first.: To identify and classify sensitive information in images, click Enable identification first. and enable the Classification and Grading switch for the bucket in the Asset Center. For more information, see Enable features.

  • Mask Now: If you have identified the images to be masked and do not need to classify their sensitive information, click Mask Now and proceed to Static data masking.

Static data masking

Create a data masking task

  1. Log on to the Data Security Center console.

  2. In the navigation pane on the left, select Risk Governance > Image Masking.

  3. On the Static Desensitization tab, click Sync Bucket. Find the target bucket and click Mask in the Actions column. Then, set the following configuration items.

    • Masking Scope: Configure the scope of images to be masked. DSC performs a full scan of the images in the selected bucket:

      • If you want to mask all eligible images in the bucket, you do not need to configure this parameter.

      • If you want to mask specific images in the bucket, configure this parameter. Then, configure Match by Prefix or Match by Suffix to select a file path matching method for the bucket.

        For example, a bucket contains the following eligible images: example/dir01/test01.png, example/dir02/test02.jpg, testexample/testdir/testim.jpg, and test.jpg.

        • Match Prefix: Enter the prefix example. Only the matched images example/dir01/test01.png and example/dir02/test02.jpg are masked.

        • Match Suffix: Enter the suffix jpg. Only the matched images test.jpg, testexample/testdir/testim.jpg, and example/dir02/test02.jpg are masked.

    • Scan Type:

      • Run Now: Immediately scans and masks the images.

      • Periodic Run: Configure a Scheduled Execution Time. DSC will mask the incremental images in the bucket at 00:00:00 on the specified cycle. To execute the task immediately, select Run Again Now.

    • Image De-identification:

      • Masking Object: Select one or more items from the list of supported information types.

      • De-identification Method: Currently, only Cover is supported.

View the results of a data masking task

After the configuration is complete, you can view the created data masking task in the task list. If the image data masking quota is sufficient, the task runs as expected.

When the Masking Status of the task changes to Finished:

  • Click View Details in the task's Actions column to view the results.

    • Masked Images / Recognized Images displays the number of masked images.

    • Executions is the total number of times the data masking task has been executed. A single image can be processed multiple times.

    • In the Image Details section, click the number next to Executions to view details of the data masking applied to each image.

  • After data masking, the image name remains unchanged. By default, the masked image is stored in the aliyun_dsc_desensitization folder in the source bucket, and the original path is preserved. You can view the masked image in the file directory of the corresponding bucket in the OSS console.

    For example, if an image is located at exampledir/test.png in a bucket, the masked image is stored at aliyun_dsc_desensitization/exampledir/test.png.
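
The following added example (not part of the DSC documentation or SDK) applies the Masking Scope matching rules and the image requirements described above to a list of object keys, and derives the expected location of each masked copy. It is a local planning aid only: the names plan_masking and in_scope, the object sizes, the reading of 10 MB as 10 MiB, and the case-insensitive extension check are assumptions.

```python
from typing import NamedTuple, Optional

# Limits and folder name as stated on the page.
SUPPORTED_EXTENSIONS = {"png", "jpg", "jpeg", "bmp", "webp"}
MAX_SIZE_BYTES = 10 * 1024 * 1024  # assumption: "10 MB" read as 10 MiB
MASKED_FOLDER = "aliyun_dsc_desensitization"

class Plan(NamedTuple):
    key: str
    reason: str                 # empty string means the image is in scope
    masked_key: Optional[str]   # where the masked copy is expected to land

def plan_masking(objects, prefix=None, suffix=None):
    """Classify (key, size_bytes) pairs for one masking task.

    The page describes choosing prefix OR suffix matching, so passing both
    is rejected. The case-insensitive extension check is an assumption.
    """
    if prefix is not None and suffix is not None:
        raise ValueError("choose either prefix or suffix matching")
    plans = []
    for key, size in objects:
        ext = key.rsplit(".", 1)[-1].lower() if "." in key else ""
        if ext not in SUPPORTED_EXTENSIONS:
            reason = "unsupported format"
        elif size >= MAX_SIZE_BYTES:
            reason = "not smaller than 10 MB"
        elif prefix is not None and not key.startswith(prefix):
            reason = "prefix mismatch"
        elif suffix is not None and not key.endswith(suffix):
            reason = "suffix mismatch"
        else:
            reason = ""
        masked = f"{MASKED_FOLDER}/{key}" if not reason else None
        plans.append(Plan(key, reason, masked))
    return plans

def in_scope(plans):
    """Return the keys that the task would mask, in input order."""
    return [p.key for p in plans if not p.reason]

# First four keys are the page's own example; sizes and the last two rows are constructed.
SAMPLE = [("example/dir01/test01.png", 120_000), ("example/dir02/test02.jpg", 340_000),
          ("testexample/testdir/testim.jpg", 95_000), ("test.jpg", 80_000),
          ("example/scan.tiff", 50_000), ("example/huge.jpg", 11 * 1024 * 1024)]

if __name__ == "__main__":
    for p in plan_masking(SAMPLE, prefix="example"):
        print(f"{p.key:34} {p.reason or 'mask -> ' + p.masked_key}")
```

Running it against a bucket listing before creating the task shows which images fall outside the scope and would therefore remain unmasked.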

Dynamic data masking

You can use dynamic data masking to mask data by calling an API or to mask specific images.

  1. On the Risk Governance > Image Masking page, click the Dynamic desensitization tab.

  2. In the upper-right corner of the page, click API and Permission Details to view the API documentation. Specify parameters such as BucketName, ObjectKey, ServiceRegionId, and MaskRuleIdList, and make the API call.

    Note

    Click Test in the API documentation to call the API directly in OpenAPI Explorer. If the call is successful, OpenAPI Explorer automatically generates sample SDK code.

  3. After a successful call, you can view information such as Number of Masked Images, Masked Images, and Executions in the console.

FAQ

How do I increase my data masking quota?

On the Risk Governance > Image Masking page, you can view your available image data masking quota. If the remaining quota is insufficient, click Upgrade to purchase additional data masking capacity on the Upgrade/Downgrade page.

You can also go to the Overview page and click Upgrade to purchase data masking capacity.